The #black #white and #grey of #hacking

IN the words of one of Michael Jackson’s biggest hits, “it don’t matter if you’re black or white”. But when it comes to the clandestine, off-grid world of hacking, the distinction between the two is vital. And it does seem to come down to a case of good versus evil in a cyber attack – extremely clever computer geeks nobly fending off attacks from other extremely clever computer geeks maliciously working to take down a system, sabotage a company, steal your life. Where do they draw the line?

Hackers fall into two main camps, working on opposite sides of the law: white hats and black hats. More formally, white hats are known as ethical hackers or penetration testers. They are employed to deliberately do what black hat hackers do, except that they do it with the full knowledge of the company in order to test its cyber defences, reinforce weak points and seal unlocked windows.

White hats todayare increasingly sought after – and well rewarded – by corporations seeking added protection to secure sensitive data. As attacks grow more sophisticated and frequent, even with firewalls and antivirus software in place, the need to be able to fight cyber crime is beginning to sink in.

According to the Symantec Internet Security Threat Report April 2017, more than 357 million malware variants were released by attackers globally in 2016. The report added that the average number of identities stolen per breach in 2016 jumped to almost one million – the highest average of the last three years.

In May this year, the WannaCry malware-based attack was unleashed worldwide in a devastating infection that affected about 500 Singapore IP addresses in Singapore. A month later came The notPetya malware, which was reported to have cost Global pharma giant Merck US$135 million in revenue.

Daryl Pereira, head of cyber security, KPMG in Singapore, tells The Business Times that demand for penetration testers is growing by the day and it is seen across both government agencies and private sectors.

“They’re in demand because they have a unique skill set to improve the cyber security of companies. The profession is maturing. The sectors under attack are also those that are demanding more cyber security professionals,” he says.

In the last 12 to 18 months, the team has seen a rise in one particular type of malware known as ransomware. Mr Pereira points to several reasons why such attacks are becoming more successful. Attackers are now allowing payment of the ransom by bitcoin, and more individuals or companies targeted are choosing to pay the ransom rather than risk losing their data. The rise of malware-based attacks is also linked to the use of e-mail as the delivery mechanism (called the attack vector), and malware lurking in websites that many people visit regularly, such as free streaming sites or pornography.

“The majority of malware/ransomware attacks can be prevented if organisations follow basic security hygiene like patch management, keeping their antivirus updated, backup and recovery processes, (and) perform regular vulnerability assessments. In the case of WannaCry and notPetya ransomware attacks… Microsoft released a patch two months before (the) WannaCry attack, and if organisations had patched their Microsoft systems on time, the ransomware attacks could have been prevented,” he says.

Elizabeth Tan, consultant, information & cyber security/governance, risk & compliance, technology, Robert Walters Singapore, sees that there will be increased hiring in cyber security over the next six to eighteen months.

“Organisations are being more proactive in ensuring that they will be well-prepared in the event of a cyber attack. Thus, more organisations are hiring security operations centre teams, and vulnerability assessment and penetration testing (also known as ethical hackers) teams.”

Hackers are getting better too. Henry (not his real name), an ethical hacker from KPMG, observes that the technical skills of the interns he manages are getting better compared to previous years.

“When we hire ethical hackers, we give them one hour to (find) as many vulnerabilities as they can. We see that they have the capabilities…to get their hands dirty with the testing,” he says.

A look at who’s hiring white hats shows the banking sector is the most concerned – and the most targeted. Robert Walters’ Ms Tan says the bulk of recruitment for penetration testers in Singapore tend to come from the financial sector, with firms within pharmaceutical, logistics and transportation sectors “starting to pay increased attention to information security and how they can improve their security posture”.

KPMG’s Mr Pereira sees the same trend: about 30-40 per cent of the work done for clients by his penetration testing team concerns the banking sector. Clients will hire the team once or twice a year to execute all kinds of vulnerability assessment and penetration testing hacks.

“What (black hats) are really going after is your personal data. When you think about banks, you think hackers want to steal money but what they’re really trying to steal is your identity.

“Healthcare companies don’t have as strong protection as banks do but the kind of data they have is very similar to what you have in a bank. Healthcare data is more rich because it has (a record) of your diseases and the things you’ve been treated for. I could steal that and blackmail you,” he says.

What’s also disconcerting is the fact that about 30 to 40 per cent of attacks are caused by insiders. So a company’s disgruntled staff could “open the backdoor and let the bad people in”.

“Cyber attackers are all agnostic. They go where the money is and where the weak defences are,” Mr Pereira says.

This is why user IDs of a company’s top management are under much higher protection. If information vital to the business or financial health of a company is leaked to its rivals, the public, or short-sellers, the resulting bad press and inevitable plunge in share price will do considerable damage.

According to the 2017 Data Breach Investigations Report by Verizon, 24 per cent of breaches around the world affected financial organisations and 15 per cent involved the healthcare sector. Other breaches came from public sector entities, and retail and accommodation. The study added that 25 per cent of breaches involved internal actors.

Yet what is being spent on cyber security is nowhere near enough, consultants say. “IT (spending) ranges anywhere from 5 to 20 per cent of total revenue of most companies. In general, what we found is of the 5 to 20 per cent of full revenue, security forms only about 5 per cent. Therein lies part of the problem (of) insufficient investment. What should be happening is that total spending for security should be about 1 to 5 per cent of your total budget,” Mr Pereira explains.

He adds that companies tend to budget their spending based on how exposed they think the business is to cyber attacks, but clients generally do not know how much to spend.

Research and advisory firm Gartner Inc found that worldwide spending on information security is expected to reach US$90 billion this year, an increase of 7.6 per cent over 2016, and will hit US$113 billion by 2020. Spending on enhancing detection and response capabilities is expected to be a key priority for security buyers through 2020.

Picking the locks

In the cyber security business, penetration testing is the last stage of preparing for a cyber attack. Ethical hackers are like “burglars you hire to pick the lock” to see if the systems can be broken into.

Since it is the last stage of the testing process, KPMG’s Henry says that a big challenge facing penetration testers is that clients push the security tests to the last minute, leaving the team little time to find vulnerabilities. “We’re always short of time whereas hackers out there have all the time in the world to test, to break into it, but in real life, we have a very short amount of time,” he says. The testing process can stretch between a few days to three weeks.

Mr Pereira says: “If it’s a live system, it’s done during off-peak (hours). For example, for a bank’s Internet banking website, we will do that when there’re less customers. In case we actually manage to hack too hard and crash the system, there’s limited impact to the client.

“To catch a crook, you’ve got to think like a crook so one of the key traits is that they’ve got to be equally cunning.”

Intriguingly, a lot of the “best catchers” come from Central Asia like Kazakhstan, Eastern Europe like Bulgaria, Romania, Poland, Russia, and even South Iran and Israel, says Mr Pereira. Many good candidates have also emerged from China, North Korea and the US.

While there are no official statistics on white hats in Singapore, according to the Infocomm Media Development Authority, about 3,700 were hired in cybersecurity job roles as at June 2016. In a report by PwC on Singapore’s cybersecurity industry outlook, an estimated 2,500-4,500 were employed full-time in cybersecurity jobs in 2015. The numbers are projected to grow between 4,400-7,900 by 2020.

KPMG’s Mr Pereira says that there are about 80 staff in the cyber security team at KPMG and approximately 15 are penetration testers. He would not disclose if they were full-time employees.

According to information on the CREST website, there are 26 companies listed, including Cisco and Ernst & Young, that provide penetration testing services in Singapore. CREST represents the technical information security industry that certifies the processes and procedures of member organisations.

Robert Walters’ Ms Tan says the majority of the penetration testers that the firm works with tend to be males aged between 24 and 35.

Depending on the industries they come from, salaries start at around S$4,000 per month, Ms Tan says. Those with five years of experience usually draw from S$7,000 to S$10,000 a month. And candidates with over eight years of experience can command anywhere between S$10,000 and S$12,000 monthly.

Wages for candidates in a cyber security role also tend to be slightly higher compared to someone in another IT-related role. On average, Robert Walters has seen a 10-15 per cent increment on base salaries in the last couple of years when IT candidates move on to another company.

For cyber security candidates, however, increments are north of 20 per cent. Ms Tan says that this is due to cyber security as a “candidate-short market” and the nature of the work in this field is niche. Some clients also consider hiring white hats from overseas due to the shortage here, she says.

“However, it is important to note that not all candidates stay within the vulnerability assessment and penetration testing route. We have noticed candidates moving into different workstreams within information security as a natural progression after a few years,” she said.

What does it take? For a start, a background strong in mathematics, computer science and programming is the minimum. Candidates with Specialised certifications such as CREST, Offensive Security Wireless Professional, Offensive Security Certified Professional (OSCP), Certified Ethical Hacker (CEH), will also command a premium. In fact, the CEH, one of the oldest certifications which goes back 20 years, is no longer considered good enough because passing the examination has become a breeze.

From trusted to turncoat

In an industry where vast amounts of information and knowhow are concentrated in the hands of a few, the moral waters are easily muddied. One major issue that has emerged from educating a growing pool of ethical hackers is the – maybe inevitable – birth of individuals who will abuse the knowledge for personal gain.

“Teaching students to hack in effect gives them a global knowledge of how to hack into computer systems with the help of subject matter experts,” wrote one study by the Geethanjali College of Engineering and Technology in India, published by the International Journal of Scientific & Engineering Research in 2013.

As the line between white and black is so fine, the switch from one to the other is not difficult, but the transition is, more often than not, towards the dark side. In some cases, an overlap of intentions gives rise to what are called grey hats.

Mr Pereira says: “The white hats have a code of ethics. They (draw) a lower pay and lack fame and glory in the hacker community. The black hats clearly want to make money, be famous, notorious, (and) like causing harm and chaos. They get a kick out of that.

“The grey hats are complicated. They’re people who have not decided what their moral code is. Maybe they don’t want to be evil but they want to be rich and so sometimes, they will bend their morals.”

Mr Pereira explains that sometimes, grey hats don’t do it for profit but instead see what they do as a service, although not through authorised means. “The problem is that (out of) 20 vulnerabilities, he might give 10 to the client and sell the other 10 to the black hats for them to exploit,” he adds.

Recounting an experience with a previous intern working in the firm, Mr Pereira and his team found a potential black hat as the techniques he talked about “are not what we do in the white hat community”.

“We watched him for another week before we packed him off. He bragged to the rest of the team that he hacked into the computer network in his school and changed his grades to A+,” he said.

As the grey areas in the hackosphere are many, ethical dilemmas spring up. What does a security specialist do, for instance, if he discovers elements of fraud in the company that is paying him to protect them? How should we view hackers acting as agents for watchdog organisations? Are they white knights or have they gone dark?

In the future, the Cyber Security Agency (CSA), set up by the Singapore government in April 2015, is looking to license the provision of penetration testing and managed security operations centre services. “The proposed licensing framework aims to help provide greater assurance of safety and security to consumers of cybersecurity services, address information asymmetry in the industry and provide for improving the standards of cybersecurity service providers and professionals,” a press statement said in July.

The reality is that cyber crime can only grow in an increasingly connected, increasingly online world. It seems that the white hats will always be fighting a losing battle. But not all is lost when it comes to upholding the law.

“The people on the good side of the law tend to be outnumbered by the baddies. Do we give up? No,” Mr Pereira says.